11 August 2012

20 April 2012

James Fallows had an article in the Atlantic last year that did a good job of scaring the wits out of me, as any entertaining and informative security article should. Fallows described what happened when his wife’s Gmail account was hacked and she (briefly, before friends of theirs at Google saved the day) lost the entire contents of her Gmail account. The experience got Fallows thinking about how vulnerable we are when we store our information in the cloud.

My passwords are strong — and I’m hoping yours are too after reading the articles on DtheK — but what if your account gets broken into anyway, either through a server problem, hacker, or some other issue? Most of us would be willing to expend considerable effort to prevent the loss of all of our email data in such a worst case scenario, so I’ve compiled a few ways you can protect yourself. Each method is rated by difficulty, using the “Grandma Frustration-O-Meter” gold standard.

Options for backing up your email accounts

Use a desktop client like Microsoft Outlook, Zimbra, or Mozilla Firebird to download and store copies of your emails on your hard drive. Grandma-Frustration-O-Meter: What the dang is POP3? Aaack!

If you want to backup a Gmail account, start a new Hotmail account. Then ask Hotmail to store copies of your emails. Or vice versa if you use Hotmail and want Gmail to store your emails. I haven’t looked into Yahoo, but I’m guessing something similar might work for that. Grandma-Frustration-O-Meter: Goes down easier than a warm glass of milk.

Use Backupify, an online service that claims to be able to store all of your Gmail account information and settings, then restore it to a Gmail account at any time. Sounds great, but of course you have to trust Backupify with your email content. Even if you trust Backupify to keep your information private, you now have to worry about two websites that could potentially get hacked instead of just one. Grandma-Frustration-O-Meter: Remember the warm glass of milk? It’s like that, but pricier.

Pray. Don’t worry about backups, use the password “Lucky123” for every account on the internet, and pray that trouble won’t befall you. Grandma-Frustration-O-Meter: Ignorance is bliss… while it lasts

While I am uneasy about giving my email password to anyone but Google, I have chosen options 1 and 2 (note that options 3 and 4 require trusting another program, company, or website with your password, too). Make your choice, and may the odds be ever in your favor.

18 February 2012

For those who are using Password Safe, or some other password management program, a quick word of caution: back up your password databases! Send copies to your email address. Store them on USB sticks. Send copies via email to friends. Upload them to Dropbox.

Since good password management systems store passwords in encrypted databases, it doesn’t hurt to have a few copies of the database floating around in the world. If your database gets corrupted or you lose your database, you can always revert to one of the backups. I’ve had two corrupted PasswordSafe databases in a few years of usage, so it’s a rare but perfectly plausible event that you should plan for. There’s also the possibility that your hard drive crashes or your laptop gets stolen, and you lose your database that way. So plan for the worst, and make frequent backups of your database!

4 February 2012

Commenter dearjym notes that, in some instances, crooks may be trying to crack your passwords at a rate of hundreds of thousands of passwords per second. He’s right.

Where true, the math I presented in this recent post starts to look a little shaky. See this rather arresting summary via a blogger who used to post on topics similar to those featured at Defending the Kingdom.

So let’s be specific about where we’re likely to get into trouble with short-ish passwords. First, it’s unlikely that internet bots can try more than one (or maybe a few) passwords per second over the internet. Bandwidth speeds and server response times are the primary breaks on the process, and some websites purposely slow things even further after a few wrong tries. Some programs on personal computers also make an effort to retard the password verification process in computer time (making the process last 0.5 seconds rather than 0.0001 second, perhaps, which is indistinguishable to most users but not computers). Password Safe is one such program.

But some programs are not built so securely, and this is where we can run into trouble. As generic advice, it wouldn’t be a bad idea to use very long passwords (15 to 30 digits) for Microsoft Office files, Zip files, password protected folders, or any other program for which you’re unsure what password trial limiting features it has.

Dictionary words as passwords

The commenter also makes an interesting point about using multiple dictionary words to make memorable yet safe passwords. He suggests that putting three dictionary words together can make for a very good password. He’s right. Apparently, there are around 170,000 words in a very popular dictionary. Assuming that all of them are equally suitable as memorable words for use within a password (or, more to the point, assuming that password crackers wouldn’t be able to distinguish memorable from unmemorable words), that makes for 5,000 trillion possible password combinations. Note, though, that the number drops to around 5 trillion combinations if we assume that only 10% of words in the dictionary are memorable enough to use within a password.